Amazon has announced the final release of Bottlerocket, a specialised distribution for running and efficiently managing containers. Bottlerocket (incidentally, the name of a small home-made black-powder rocket) is not the first OS for containers, but it may well gain traction thanks to its out-of-the-box integration with AWS services. The system is focused on Amazon's cloud, but since it is open source it can be built anywhere: on local servers, a Raspberry Pi, competing clouds, even environments without containers. It is a very worthwhile alternative to the CoreOS distribution that Red Hat absorbed.
Amazon Web Services, of course, already has Amazon Linux, which recently reached its second version. That is a general-purpose distribution that can run in a Docker container or on the Linux KVM hypervisor, Microsoft Hyper-V or VMware ESXi. It is optimised to run in the AWS cloud, but now that Bottlerocket is available, upgrading to the newer system, which is more secure, more modern and uses fewer resources, is recommended.
AWS announced Bottlerocket in March 2020. The company acknowledged that Bottlerocket is not the first "Linux for containers" and named CoreOS, Rancher OS and Project Atomic as sources of inspiration. The developers write that the operating system is "the result of lessons learned from running production services at Amazon scale over a long period, and of the experience gained over the past six years in how containers are run".
Extreme minimalism
Everything in Linux that is not needed to run containers has been removed. According to the company, this design reduces the attack surface.
This means fewer packages are installed on the base system, which makes the OS easier to maintain and update, reduces the chance of dependency problems and lowers resource usage. Essentially, everything runs inside separate containers, and the base system is practically "bare".
Amazon also removed all shells and interpreters, eliminating the risk that users could use them or accidentally escalate privileges. For minimalism and security, the base image contains no command shell, no SSH server and no interpreted languages such as Python. Administrator tools were moved to a separate service container that is disabled by default.
System management is offered in two ways: through an API and through orchestration.
Instead of a package manager that updates individual programs, Bottlerocket downloads a complete file system image and reboots into it. If the boot fails, an automatic rollback takes place, and failures in operation can also trigger a manual rollback (a command issued via the API). TUF (The Update Framework) downloads image-based updates to the alternate, unmounted partition. Two disk partitions are allocated to the system: one holds the active system, and the update is copied into the second. The root partition is mounted read-only, and the /etc partition is mounted in tmpfs, a RAM-backed file system. After a reboot, /etc returns to its original state. Direct modification of configuration files in /etc is not supported; to persist settings, use the API or move the functionality into a separate container.
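The two-partition update flow described above, as an added model written for this article (not Bottlerocket's own code): a bootloader picks the slot with the highest priority among images that are proven good or still have boot attempts left, an image that fails to boot is abandoned automatically, /etc is rebuilt from API-backed settings on every boot, and a manual rollback simply makes the other proven-good image win the next boot. The priority/tries bookkeeping is a simplified assumption, not the real partition flags.

```python
from dataclasses import dataclass

@dataclass
class Slot:                  # one of the two image partitions (constructed model)
    image: str = ""          # file system image written here ("" = empty)
    priority: int = 0        # bootloader prefers the highest priority ...
    tries_left: int = 0      # ... among slots already proven good or with attempts left
    successful: bool = False

class Host:
    def __init__(self, image):
        self.slots = [Slot(image, priority=1, successful=True), Slot()]
        self.settings = {}   # writable only via the API, survives reboots
        self.etc = {}        # tmpfs copy, rebuilt from settings on each boot
        self.booted = None   # Slot currently running, None after a failed boot
        self.boot(boot_ok=True)

    def boot(self, boot_ok):
        """One reboot; boot_ok=False models the chosen image failing to come up."""
        candidates = [s for s in self.slots if s.image and (s.successful or s.tries_left > 0)]
        slot = max(candidates, key=lambda s: s.priority)
        if not slot.successful:
            slot.tries_left -= 1            # an unproven image gets a limited number of attempts
        self.etc = {}                       # tmpfs: any in-place edits to /etc are gone
        if boot_ok:
            slot.successful = True
            self.etc = dict(self.settings)  # configuration rendered from API-backed settings
            self.booted = slot
        else:
            self.booted = None              # nothing marked: next boot falls back automatically
        return slot

    def stage_update(self, image):
        """Write the new image to the inactive partition and let it win the next boot."""
        target = next(s for s in self.slots if s is not self.booted)
        target.image, target.priority, target.tries_left, target.successful = image, 2, 1, False
        for s in self.slots:
            if s is not target:
                s.priority = 1
        return target

    def api_set(self, key, value):
        self.settings[key] = value          # the supported way to persist configuration

    def api_rollback(self):
        """Manual rollback via the API: the other proven-good image wins the next boot."""
        other = next(s for s in self.slots if s is not self.booted and s.successful)
        other.priority = self.booted.priority + 1
        return other
```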
Figure: API update scheme
Security
Containers are created with the standard Linux kernel mechanisms (cgroups, namespaces, seccomp), and SELinux is used in "enforcing" mode as a mandatory access control system, that is, for additional isolation.
By default, policies for sharing resources between containers and the kernel are enabled. Binaries are protected by flags that prevent users or programs from running them. And if someone does gain access to the file system, Bottlerocket provides tools to check and track the changes that were made.
"Verified boot" mode is implemented through the device-mapper verity feature (dm-verity), which checks the integrity of the root partition at start-up. AWS describes dm-verity as "a Linux kernel feature that provides integrity checking to prevent malware from running on the OS, such as by overwriting the underlying system software".
The system includes eBPF (extended BPF, developed by Alexey Starovoitov), which makes it possible to replace kernel modules with safer BPF programs for low-level system operations.
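The integrity check that dm-verity performs on the root partition, as an added illustration written for this article (not Bottlerocket's or the kernel's code): the image is hashed in fixed-size blocks into a hash tree at build time, only the root hash has to be trusted at boot, and each block is re-verified against that root when it is read, so an overwritten block is detected. Block size and arity are constructed assumptions, and the sibling hashes are taken as trusted here, whereas real dm-verity also verifies hash blocks as it loads them.

```python
import hashlib

BLOCK_SIZE = 4096  # dm-verity hashes the data device in fixed-size blocks
ARITY = 2          # hashes per tree node; real dm-verity packs many per hash block

def block_hashes(data):
    """Leaf level: one digest per data block (a short final block is hashed as-is)."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(data), BLOCK_SIZE)]

def build_tree(data):
    """Build the hash tree bottom-up at image creation time; levels[-1][0] is the root."""
    levels = [block_hashes(data)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hashlib.sha256(b"".join(cur[i:i + ARITY])).digest()
                       for i in range(0, len(cur), ARITY)])
    return levels

def root_hash(levels):
    """The value a verified-boot chain hands to the kernel as the trusted root."""
    return levels[-1][0].hex()

def verify_block(data, index, levels, root):
    """Check one block on access: recompute its path to the root using stored siblings."""
    digest = hashlib.sha256(data[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]).digest()
    pos = index
    for level in levels[:-1]:
        start = pos - pos % ARITY
        siblings = list(level[start:start + ARITY])
        siblings[pos - start] = digest     # use the fresh hash, never the stored self-hash
        digest = hashlib.sha256(b"".join(siblings)).digest()
        pos //= ARITY
    return digest.hex() == root

def corrupted_blocks(data, levels, root):
    """Indices of blocks whose content no longer matches the trusted root."""
    count = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
    return [i for i in range(count) if not verify_block(data, i, levels, root)]

if __name__ == "__main__":
    image = bytes(range(256)) * 48                   # constructed 12 KiB "root partition"
    tree = build_tree(image)
    root = root_hash(tree)
    tampered = bytearray(image)
    tampered[5000] ^= 0x01                           # flip one bit inside block 1
    print("trusted root:", root)
    print("corrupted blocks:", corrupted_blocks(bytes(tampered), tree, root))  # -> [1]
```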
| | Execution model | User-defined | Compilation | Security | Failure mode | Resource access |
|---|---|---|---|---|---|---|
| User | Task | Yes | Any | User permissions | Abort execution | System calls, faults |
| Kernel | Task | No | Static | None | Kernel panic | All |
| BPF | Event | Yes | JIT, CO-RE | Verified, JIT | Error message | Restricted helpers |
According to AWS, BPF differs from ordinary user-level or kernel-level code, and Bottlerocket adopts an operating model that further strengthens security by not allowing administrative access to production servers; this suits large distributed systems where control over individual hosts is limited.
An admin container is provided for system administrators, but AWS does not expect administrators to need to work inside Bottlerocket. "The act of logging in to an individual Bottlerocket instance is intended to be an infrequent operation for advanced debugging and troubleshooting," the developers write.
Modern languages
The OS tools above the kernel are mostly written in Rust. By its nature, the language reduces the likelihood of unsafe memory access and eliminates race conditions between threads.
The default build flags --enable-default-pie and --enable-default-ssp are applied, enabling position-independent executables (PIE, which makes address-space randomisation of the executable possible) and protection against stack overflows. The build flags for C/C++ packages include -Wall, -Werror=format-security, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS and -fstack-clash-protection.
Besides Rust and C/C++, some packages are written in Go.
Integration with AWS services
The difference from similar container operating systems is that Amazon has optimised Bottlerocket to run on AWS and to integrate with other AWS services.
Since the most popular container orchestrator is Kubernetes, AWS has implemented integration with its own Enterprise Kubernetes Service (EKS). The orchestration tooling is delivered in a separate bottlerocket-control-container, which is enabled by default and is managed through the API and the AWS SSM agent.
Given that several such initiatives have failed in the past, it will be interesting to see whether Bottlerocket takes off. For example, VMware's Photon OS faded away, and Red Hat bought CoreOS and wound down a project that had been considered a pioneer in the field.
Integrating Bottlerocket with AWS services makes the system unique in its own way, and this may be the main reason some users prefer Bottlerocket to other distributions such as CoreOS or Alpine. The system was originally designed to work with EKS and ECS, but these are not mandatory. First, Bottlerocket can be built independently and used, for example, as a hosted solution. Second, EKS and ECS users remain free to choose their OS.
Bottlerocket's source code is published on GitHub under the Apache 2.0 licence. The developers are already responding to bug reports and feature requests.